Hackers Are Exploiting Discord Links to Serve Up Malware

What is Discord Malware?

Discord is a free online chat application for sharing text, audio and video. Because it is lightweight and flexible, it is especially popular among gamers.

Unfortunately, hackers can also use Discord to spread malware. The most common type of malware seen on Discord is the Remote Access Trojan (RAT), which hackers usually distribute via malicious links. Once a RAT is installed on your device, it gains administrative rights and can track your actions, steal data and manipulate the device. It can also install additional malware or make your computer part of a botnet used to spread further infections.

Hackers Are Exploiting Discord

Workflow and collaboration tools like Slack and Discord have been infiltrated by threat actors, who are abusing their legitimate functions to evade security and deliver info-stealers, remote-access trojans (RATs) and other malware.

The pandemic-induced shift to remote work drove business processes onto these collaboration platforms in 2020, and predictably, 2021 has ushered in a new level of cybercriminal expertise in attacking them.

Cisco’s Talos cybersecurity team said in a report on collaboration app abuse this week that during the past year threat actors have increasingly used apps like Discord and Slack to trick users into opening malicious attachments and deploy various RATs and stealers, including Agent Tesla, AsyncRAT, Formbook and others.

“People are way more likely to do things like click a Discord link than they would have been in the past, because they’re used to seeing their friends and colleagues posting files to Discord and sending them a link,” says Cisco Talos security researcher Nick Biasini. “Everybody’s using collaboration apps, everybody has some familiarity with them, and bad guys have noticed that they can abuse them.”

Among the collaboration app exploitation techniques Cisco’s researchers are warning about, the most common uses the platforms essentially as a file hosting service. Both Discord and Slack allow users to upload files to their servers and create externally accessible links to those files, so that anyone can click on the link and access the file. In many cases, Cisco found, those files are malicious; the researchers list nine recent remote-access spy tools that hackers have tried to install in this fashion, including Agent Tesla, LimeRAT, and Phoenix Keylogger.

The links don’t have to be delivered to victims inside of Slack or Discord. They can also be served up over email, where hackers can far more easily trawl for victims en masse, impersonate a victim’s colleagues, and reach users with whom they have no previous connection. As a result, Cisco has recorded a major uptick in the use of those links to deliver malware via email in the past year. “Over the last several months we’ve seen tens of thousands, and the rate has been steadily increasing,” says Biasini. “Right now it appears to be peaking.”

The Discord API has become an effective tool for attackers to exfiltrate data from a network. Command-and-control (C2) communications run over webhooks, which the researchers explained were designed to send automated messages to a specific Discord server and are frequently linked with additional services such as GitHub or DataDog.

“Webhooks are essentially a URL that a client can send a message to, which in turn posts that message to the specified channel — all without using the actual Discord application,” they said. The Discord domain helps attackers disguise the exfiltration of data by making it look like any other traffic coming across the network, they added.

The versatility and accessibility of Discord webhooks make them a clear choice for some threat actors, according to the analysis: “With merely a few stolen access tokens, an attacker can employ a truly effective malware campaign infrastructure with very little effort. The level of anonymity is too tempting for some threat actors to pass up.”

This communication flow can also be used to alert attackers when new systems are available to be hijacked and to deliver updated information about those they have already infiltrated, Talos said.
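As an added example, not taken from the article or the Talos report, the detection logic below runs over constructed proxy-log lines and flags the two abuse patterns described above: executable downloads from Discord CDN attachment links (the file-hosting abuse) and POSTs to Discord webhook URLs from hosts that have no business posting to them, with per-host byte totals to surface exfiltration. The log format, client IPs, snowflake ids and webhook tokens are all made-up placeholders.

```python
import re

# Discord webhook endpoint shape (public API): /api/webhooks/<numeric id>/<token>
WEBHOOK_RE = re.compile(r"^https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/(\d+)/[\w-]+")
# Attachment links on the Discord CDN, the "free file hosting" pattern
ATTACHMENT_RE = re.compile(r"^https?://cdn\.discordapp\.com/attachments/\d+/\d+/([^/?#]+)")
# Extensions a colleague would not normally "share a link to"
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".iso", ".img", ".lnk", ".bat", ".ps1", ".jar"}

# Constructed proxy log: "<timestamp> <client> <method> <url> <status> <bytes_out>".
# IPs, snowflake ids and tokens are placeholders, not real indicators.
SAMPLE_LOG = """\
2021-04-08T10:00:01Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111/222/invoice.pdf 200 512
2021-04-08T10:00:07Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111/223/Invoice_Q1.exe 200 3900
2021-04-08T10:01:30Z 10.0.0.5 POST https://discord.com/api/webhooks/333/PLACEHOLDER_TOKEN_A 204 18200
2021-04-08T10:02:00Z 10.0.0.9 POST https://discord.com/api/webhooks/444/PLACEHOLDER_TOKEN_B 204 300
2021-04-08T10:03:00Z 10.0.0.7 GET https://discord.com/channels/@me 200 0
""".splitlines()

def parse_line(line):
    ts, client, method, url, status, bytes_out = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "bytes_out": int(bytes_out)}

def analyze(lines, allowed_webhook_clients=frozenset()):
    """Return (client, kind, detail) findings: 'risky_attachment' (detail: filename)
    or 'webhook_post' (detail: webhook id). Known legitimate posters (a CI box) are allow-listed."""
    findings = []
    for rec in map(parse_line, lines):
        m = WEBHOOK_RE.match(rec["url"])
        if m and rec["method"] == "POST":
            if rec["client"] not in allowed_webhook_clients:
                findings.append((rec["client"], "webhook_post", m.group(1)))
            continue
        m = ATTACHMENT_RE.match(rec["url"])
        if m:
            name = m.group(1)
            ext = name[name.rfind("."):].lower() if "." in name else ""
            if ext in RISKY_EXT:
                findings.append((rec["client"], "risky_attachment", name))
    return findings

def webhook_bytes_out(lines):
    """Bytes POSTed to Discord webhooks per client; a large total points at exfiltration."""
    totals = {}
    for rec in map(parse_line, lines):
        if rec["method"] == "POST" and WEBHOOK_RE.match(rec["url"]):
            totals[rec["client"]] = totals.get(rec["client"], 0) + rec["bytes_out"]
    return totals
```

Because the traffic terminates at a legitimate Discord domain, a plain domain block or reputation feed will not catch it; the rule has to key on URL path and HTTP method, and the allow-list is what keeps a real CI webhook from paging the on-call.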